Overview

overview

10

Static

static

kp5fi12lDj7RlQU.exe

windows7-x64

10

kp5fi12lDj7RlQU.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/09/2022, 13:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    kp5fi12lDj7RlQU.exe

  • Size

    935KB

  • MD5

    06bacb8b46925876cd0e118fcf8fbe2d

  • SHA1

    1c53732662ae7bda1d8575a1e3e621f5345ae201

  • SHA256

    552f1eac89b16ae3e92398f85871bfd6e912f9b23526d46d3dac73ae2edd097d

  • SHA512

    dfa6ab63d13fdf3a09e1947385ba3119d5cee0c4f1b0162462d43e723852fe0cf81963f6540815271da4ccd299ff5670bb099983a2c30174840b8e2e6943db03

  • SSDEEP

    12288:wdV7uikFgEl8kQpaLnyb/WUtTehkj8N/XY58O8Hrexym/PaXCLkR:wlubgEGMcHWXwcekm/PaXakR

Score
10/10
formbookoe29ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oe29

Decoy

angelicamedinaconsultora.com

peckish.skin

didjyaknow.biz

rajendra-kulkarni.com

mmdkite.com

solidityconstruction.com

myfertilitypharmacy.com

midniighter.com

iconicresidentialadvisory.co.uk

askpropertiesng.com

internetwifijapan.com

yjiand.com

myadvanceonline.com

couryfeepay.com

sieuthiquocte.com

seapinefunds.com

jshxsj.com

pathfinancialservice.com

jacobjbrunner.com

yn1122.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Users\Admin\AppData\Local\Temp\kp5fi12lDj7RlQU.exe
      "C:\Users\Admin\AppData\Local\Temp\kp5fi12lDj7RlQU.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Users\Admin\AppData\Local\Temp\kp5fi12lDj7RlQU.exe
        "C:\Users\Admin\AppData\Local\Temp\kp5fi12lDj7RlQU.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:968
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\kp5fi12lDj7RlQU.exe"
        3⤵
          PID:1412

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/776-153-0x00000000034E0000-0x00000000035CE000-memory.dmp

      Filesize

      952KB

      Download

    • memory/776-152-0x00000000034E0000-0x00000000035CE000-memory.dmp

      Filesize

      952KB

      Download

    • memory/776-144-0x0000000003140000-0x0000000003228000-memory.dmp

      Filesize

      928KB

      Download

    • memory/968-141-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/968-143-0x0000000001510000-0x0000000001524000-memory.dmp

      Filesize

      80KB

      Download

    • memory/968-142-0x0000000001580000-0x00000000018CA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/968-139-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2356-137-0x0000000009640000-0x00000000096A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2356-136-0x0000000009530000-0x00000000095CC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2356-135-0x0000000005A00000-0x0000000005A0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2356-132-0x0000000000F70000-0x000000000105E000-memory.dmp

      Filesize

      952KB

      Download

    • memory/2356-134-0x0000000005B00000-0x0000000005B92000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2356-133-0x00000000060B0000-0x0000000006654000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4424-147-0x0000000000B90000-0x0000000000BBF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4424-146-0x0000000000440000-0x000000000057A000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4424-149-0x0000000002CC0000-0x000000000300A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4424-150-0x0000000000B90000-0x0000000000BBF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4424-151-0x0000000003010000-0x00000000030A3000-memory.dmp

      Filesize

      588KB

      Download